IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Include the CA basic constraint in CSRs when renewing a CA

Browse Source 
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:

  X509v3 Basic Constraints: critical
      CA:TRUE

Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.

Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.

https://pagure.io/freeipa/issue/7088

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit is contained in:
Rob Crittenden 2017-08-09 17:28:35 -04:00 committed by Pavel Vomacka
parent 7ef6de931b
commit a37e90530f
2 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
ipalib/install/certmonger.py
View File

@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
request.obj_if.modify(update) request.obj_if.modify(update)
def resubmit_request(request_id, ca=None, profile=None): def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
"""
:param request_id: the certmonger numeric request ID
:param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
:param profile: the dogtag template profile to use, e.g. SubCA
:param is_ca: boolean that if True adds the CA basic constraint
"""
request = _get_request({'nickname': request_id}) request = _get_request({'nickname': request_id})
if request: if request:
if ca or profile: if ca or profile or is_ca:
update = {} update = {}
if ca is not None: if ca is not None:
cm = _certmonger() cm = _certmonger()
update['CA'] = cm.obj_if.find_ca_by_nickname(ca) update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
if profile is not None: if profile is not None:
update['template-profile'] = profile update['template-profile'] = profile
if is_ca:
update['template-is-ca'] = True
update['template-ca-path-length'] = -1 # no path length
request.obj_if.modify(update) request.obj_if.modify(update)
request.obj_if.resubmit() request.obj_if.resubmit()

3
ipaserver/install/ipa_cacert_manage.py
View File

@ -303,7 +303,8 @@ class CACertManage(admintool.AdminTool):
timeout = api.env.startup_timeout + 60 timeout = api.env.startup_timeout + 60
logger.debug("resubmitting certmonger request '%s'", self.request_id) logger.debug("resubmitting certmonger request '%s'", self.request_id)
certmonger.resubmit_request(self.request_id, ca=ca, profile=profile) certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
is_ca=True)
try: try:
state = certmonger.wait_for_request(self.request_id, timeout) state = certmonger.wait_for_request(self.request_id, timeout)
except RuntimeError: except RuntimeError: